7.5:adm:synchronization

Synchronization

Synchronization can be configured in Systems → system detail (magnifying glass sign) → Synchronization. To add a new synchronization for the system, use the green Add button. To change the configuration of an existing synchronization, click its magnifying glass sign.

Synchronization is used for acquiring data from the connected system to CzechIdM. There are two modes of synchronization:

  • Reconciliation - Synchronization of all available objects of specified time.
  • Synchronization - If the token is specified, e.g. timestamp, only objects that have changed since the last synchronization are synchronized.

Synchronization options

The basic settings offer these options:

  • Allowed - only allowed synchronizations can be started, either manually or as scheduled tasks
  • Reconciliation - see above
  • Name - name of your choice
  • Set of mapped attributes - the attributes from the attribute mapping prepared earlier.
  • Token - the value is the token of the last synchronization run. If the token is e.g. a timestamp, the value can be the time of the last synchronization run. It is recommended to leave the option at its current value.
  • Description - optional description of the synchronization definition

 Synchronization operations

During the synchronization process, objects on the connected system and entities in CzechIdM are compared, and a state is computed for every object:

  • Linked - The object and the entity have been previously (by synchronization or manually) linked. The following actions can be performed on the object and entity in this situation:
    • Update entity: This updates the CzechIdM entity linked to the connected system object. The update is done on the basis of synchronization attribute mapping. After saving the entity, the standard provisioning is called.
    • Update account: This calls the standard provisioning. Synchronization only calls the event, it does not perform provisioning itself. So if the provisioning is asynchronous, the synchronization does not wait for the provisioning to finish.
    • Remove link: This deletes the link between the CzechIdM entity and connected system object. It does not perform editing of the CzechIdM entity itself, it does not call provisioning.
    • Remove link and appropriate roles: This removes the links, as in the previous case. In case of CzechIdM identity it also removes roles that are linked with this account.
    • Ignore: This action does not perform any active operation.
  • Not Linked - This is a situation when there is no link between the entity in CzechIdM and the object in the connected system. Since the link does not exist yet, the identity has been found using a correlation attribute. The correlation attribute can be any attribute from the attribute mapping of the synchronization. The correlation attribute is always required in the current version of CzechIdM, since the object vs. entity states are computed before operations take place. The following actions can be performed in the Not Linked situation:
    • Create link: This creates a link between CzechIdM entity and object. Editing of the identity itself is not done, provisioning is not called.
    • Create link and update account: A link is created in the same way as in the previous case. In addition, the account on the end system is updated - an event for running provisioning is called.
    • Ignore: This action does not perform any active operation.
  • Missing Entity - This is a situation when there is no entity in CzechIdM matching object in the connected system. The following actions can be performed in this situation:
    • Create entity: This creates an entity in CzechIdM and links it to the object in the connected system. The creation is done based on the attribute mapping chosen in the synchronization configuration. The creation of the entity calls provisioning.
    • Ignore: This action does not perform any active operation.
  • Missing Account - This is a situation when there is no object on the end system matching the entity in CzechIdM. The following actions can be performed in this situation:
    • Create account: Synchronization calls entity provisioning, which leads to creation of an object on the connected system.
    • Remove entity: This deletes the entity in CzechIdM and the link to object in connected system.
    • Remove link: This deletes the link between the entity in CzechIdM and object in connected system. Editing of the entity itself is not done, provisioning is not called.
    • Remove link and appropriate roles: This removes the links, as in the previous case, however, it also removes the linked identity roles. In other words, it removes the roles which were assigned to the identity by the account.
    • Ignore: This action does not perform any active operation.
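
The state computation described above can be modelled as a dry run that classifies every object before any action is assigned, which helps when reviewing what a destructive action such as Remove entity would touch. This is an added example in Python, not CzechIdM code; the function name, the data layout, and the assumptions that the correlation attribute is unique and that Missing Account means a link whose object is no longer on the connected system are all illustrative.

```python
# Added illustration: a simplified model, not CzechIdM code.
from collections import Counter

LINKED, NOT_LINKED = "Linked", "Not Linked"
MISSING_ENTITY, MISSING_ACCOUNT = "Missing Entity", "Missing Account"


def compute_situations(system_objects, entities, links, correlation_attr):
    """Classify every object/link before any action is taken.

    system_objects: {uid: attributes} read from the connected system
    entities:       {entity_id: attributes} held in the identity manager
    links:          {uid: entity_id} existing account links
    Returns {uid: (situation, entity_id or None)}.
    """
    # Index entities by the correlation attribute (assumed unique here).
    by_corr = {attrs[correlation_attr]: eid
               for eid, attrs in entities.items()
               if attrs.get(correlation_attr) is not None}
    result = {}
    for uid, attrs in system_objects.items():
        if uid in links:
            result[uid] = (LINKED, links[uid])
        elif attrs.get(correlation_attr) in by_corr:
            result[uid] = (NOT_LINKED, by_corr[attrs[correlation_attr]])
        else:
            result[uid] = (MISSING_ENTITY, None)
    # Assumption: a link whose object is gone from the connected system.
    for uid, eid in links.items():
        if uid not in system_objects:
            result[uid] = (MISSING_ACCOUNT, eid)
    return result


# Constructed sample data (not from a real system).
SYSTEM = {"u1": {"email": "ann@example.org"},
          "u2": {"email": "bob@example.org"},
          "u3": {"email": "eve@example.org"}}
ENTITIES = {"ann": {"email": "ann@example.org"},
            "bob": {"email": "bob@example.org"},
            "dan": {"email": "dan@example.org"}}
LINKS = {"u1": "ann", "u9": "dan"}

if __name__ == "__main__":
    situations = compute_situations(SYSTEM, ENTITIES, LINKS, "email")
    for uid, (state, eid) in sorted(situations.items()):
        print(f"{uid}: {state} (entity={eid})")
    print(Counter(state for state, _ in situations.values()))
```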